2017-06-12 - TRICKBOT INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-12-Trickbot-infection-traffic.pcap.zip 1.8 MB (1,799,186 bytes)
- 2017-06-12-Trickbot-malspam-tracker.csv.zip 0.9 kB (927 bytes)
- 2017-06-12-Trickbot-email-attachments-and-malware.zip 359.8 kB (359,803 bytes)
Shown above: An example of the emails.
6 EMAIL EXAMPLES:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT -- ZIP IN THE ZIP -- EXTRACTED .WSF FILE
- 2017-06-12 15:17:14 UTC -- NoReplyMailbox@harrison-lewis[.]co[.]uk -- Invoice PIS7602708 -- invoicepis7602708.zip -- JXZQTUD.zip -- JXZQTUD.wsf
- 2017-06-12 15:17:59 UTC -- NoReplyMailbox@ukmorgans[.]com -- Invoice PIS6475328 -- invoicepis6475328.zip -- LZTFBQLX6G.zip -- LZTFBQLX6G.wsf
- 2017-06-12 15:19:15 UTC -- NoReplyMailbox@phibberd.globalnet[.]co[.]uk -- Invoice PIS2523626 -- invoicepis2523626.zip -- LZTFBQLX6G.zip -- LZTFBQLX6G.wsf
- 2017-06-12 15:19:24 UTC -- NoReplyMailbox@baileysecretarial[.]co[.]uk -- Invoice PIS2550675 -- invoicepis2550675.zip -- LZTFBQLX6G.zip -- LZTFBQLX6G.wsf
- 2017-06-12 15:19:33 UTC -- NoReplyMailbox@schoony[.]co[.]uk -- Invoice PIS4526120 -- invoicepis4526120.zip -- TOTAHZEQT.zip -- TOTAHZEQT.wsf
- 2017-06-12 15:20:17 UTC -- NoReplyMailbox@sunilx.globalnet[.]co[.]uk -- Invoice PIS8761504 -- invoicepis8761504.zip -- TOTAHZEQT.zip -- TOTAHZEQT.wsf
MALWARE
Shown above: The attached zip archive contains another zip archive which, in turn, contains a Windows Script File (WSF) file.
SHA256 HASHES FOR THE ZIP ATTACHMENTS:
- 2f27185e5f7ada26909971bd5b40e4ebaea9ecf140a14bbc1dc687e3e97804e0 - invoicepis2523626.zip
- 37e190f1947a7b4a43844f5e101bb3cd2635654b200e136502a3beec2f9c0529 - invoicepis8761504.zip
- 79c184367106d0efd1f3154e3100bafca3f3843c973234b10302b5e1e34f15e1 - invoicepis2550675.zip
SHA256 HASHES FOR THE EXTRACTED .WSF FILES:
- 0411fe66e423186a0bce645fb814958e70d460f1bd1528e107a9a81ec51cfc14 - TOTAHZEQT.wsf
- 2317ebe1385283e7ae50f7153048aea4e0747211839522fe9324dc5b0c77e8e9 - JXZQTUD.wsf
- d9351db902a8f3031d0ee410f4682f6896fa8dac8ccfe21d6a6c92f46844ae20 - LZTFBQLX6G.wsf
TRICKBOT SAMPLE:
- SHA256 hash: c305ebba4a998304919ada152c3eb3fe4037baa4526a9c16959b43c754743277
  File size: 495,616 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\ceRTYeYSAjg1.exe
  File location: C:\Users\[username]\AppData\Local\Temp\wvHyIX1.exe
  File location: C:\Users\[username]\AppData\Local\Temp\XiIxdgMgRIk3.exe
OTHER MALWARE NOTED:
- SHA256 hash: 239ce47b51508c1adefc8fb753d19075126923e657337f9aebcb63c954266d5a
  File size: 98,068 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\XiIxdgMgRIk2.exe
TRAFFIC
URLS FROM THE .WSF FILES TO DOWNLOAD TRICKBOT:
- 78tguyc876wwirglmltm[.]net - GET /af/8yhf2ui?[string of characters]
- e67tfgc4uybfbnfmd[.]org - GET /af/8yhf2ui?[string of characters]
- lamartechnical[.]com - GET /8yhf2ui?[string of characters]
- quente[.]nl - GET /8yhf2ui?[string of characters]
- sacrecoeur.bravepages[.]com - GET /8yhf2ui?[string of characters]
- sheekchilly[.]com - GET /8yhf2ui?[string of characters]
- skveselka.wz[.]cz - GET /8yhf2ui?[string of characters]
- syrianchristiancentre[.]org - GET /8yhf2ui?[string of characters]
- ulyanky[.]ru - GET /8yhf2ui?[string of characters]
- ythongye[.]com - GET /8yhf2u?[string of characters]
TRICKBOT POST-INFECTION TRAFFIC:
- ip.anysrc[.]net, ipecho[.]net, wtfismyip[.]com, or possibly others - IP address check
- 85.228.193[.]94 port 447 - Trickbot post-infection traffic
- 89.231.13[.]27 port 443 - Trickbot post-infection traffic
- 5.45.87[.]24 port 447 - Attempted TCP connection, but no response from the server
- 185.203.243[.]113 port 443 - Attempted TCP connection, but no response from the server
Shown above: Traffic from one of the infections filtered in Wireshark.
Shown above: Some alerts on the infection traffic from the Emerging Threats ruleset using Sguil and tcpreplay on Security Onion.
IMAGES
Shown above: Another infection from this malspam (note the different domain for the IP address check).
Shown above: Yet another infection from this malspam (note yet another different domain for the IP address check).
Shown above: Artifacts discovered on one of the infected hosts.